Coffee Addicts
Enum
IP: 192.168.1.159
Note: Add coffeeaddicts.thm to /etc/hosts
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Port 80
Gobuster (dir)
ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://coffeeaddicts.thm/FUZZ -ic
wordpress [Status: 301, Size: 326, Words: 20, Lines: 10]
[Status: 200, Size: 735, Words: 95, Lines: 32]
WordPress
http://coffeeaddicts.thm/wordpress/
WPScan reveals a username, ‘gus’.
Checking the comments of the second post shows us a hint:
*Hint: password is in the image above…
Now we can log in to the admin panel and quickly check out the app.
I see we can edit the plugin files.
You can open the Akismet plugin and edit the PHP for a reverse shell; either a PHP reverse shell or a basic webshell will do.
Then call the URL for the akismet.php file to activate your reverse shell.
http://coffeeaddicts.thm/wordpress/wp-content/plugins/akismet/akismet.php?c=id
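From the defender's side, opening the plugin editor and then requesting akismet.php with a parameter both leave traces in the web server access log. The following is an added example, not part of the original write-up: a Python scan over constructed combined-format log lines, where the rule names, sample IPs and timestamps are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not captured from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 735 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:02:10 +0000] "GET /wordpress/wp-admin/plugin-editor.php?file=akismet%2Fakismet.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:02:40 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.php?c=id HTTP/1.1" 200 54 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:03:00 +0000] "GET /wordpress/wp-content/plugins/akismet/_inc/akismet.css?ver=4.1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:03:05 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 114 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
EDITOR_RE = re.compile(r"/wp-admin/(?:plugin|theme)-editor\.php$")
PLUGIN_PHP_RE = re.compile(r"/wp-content/plugins/(?:[^/]+/)+[^/]+\.php$")


def scan(log_text):
    """Return (client_ip, rule, path) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if EDITOR_RE.search(url.path):
            # Someone opened the built-in plugin/theme file editor.
            findings.append((ip, "file-editor-access", url.path))
        elif PLUGIN_PHP_RE.search(url.path) and url.query and status == "200":
            # Heuristic: a plugin PHP file was requested directly with parameters.
            keys = ",".join(k for k, _ in parse_qsl(url.query, keep_blank_values=True))
            findings.append((ip, "plugin-php-with-query:" + keys, url.path))
    return findings


def correlated(findings):
    """Clients that both used the file editor and hit a plugin PHP file with parameters."""
    editors = {ip for ip, rule, _ in findings if rule == "file-editor-access"}
    direct = {ip for ip, rule, _ in findings if rule.startswith("plugin-php-with-query")}
    return editors & direct


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("high priority:", sorted(correlated(hits)))
```

Defining DISALLOW_FILE_EDIT as true in wp-config.php removes the plugin and theme editors from the admin panel, which closes this particular path.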
User
After getting a reverse shell and checking out the files in Gus's home directory, we see a readme.txt and the flag.
readme.txt
hello, admin.
as you can see your site has been hacked, any attempt of fixing it is futile, as we removed you from the sudoers and we changed the root password.
~Nicolas Fritzges
Flag
THM{s4v3_y0uR_Cr3d5_b0i}
In the other user's home folder we can find a .ssh file; it's password protected. Using ssh2john we can crack the password.
python3 ssh2john.py id_rsa > hash
Root
Now we can ssh into the box as badbyte, running sudo -l shows
The path to root is clear now and to the last flag!
sudo /opt/BadByte/shell
Flag
THM{im_the_shell_master}